Github.Com Grafana Grafana vulnerabilities

57 known vulnerabilities affecting github.com/grafana_grafana.

Total CVEs: 57
CISA KEV: 2 (actively exploited)
Public exploits: 8
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 31, LOW 3

Vulnerabilities

Page 2 of 3
CVE-2021-43815 [HIGH] CVSS 7.5 | Affected: ≥ 8.0.0-beta3, < 8.3.2 | 2024-05-14
CWE-22: Grafana directory traversal for .csv files
Today we are releasing Grafana `8.3.2` and `7.5.12`. This patch release includes a moderate severity security fix for directory traversal for arbitrary `.csv` files. It only affects instances that have the developer testing tool called [TestData DB data source](https://grafana.com/docs/grafana/latest/datasources/testdata/) enabled and configured. The vulnerability is limited in sc
Sources: GHSA, OSV

CVE-2022-21702 [MEDIUM] CVSS 5.4 | Affected: ≥ 2.0.0-beta1, < 7.5.15; ≥ 8.0.0, < 8.3.5 | 2024-05-14
CWE-79: Grafana proxy Cross-site Scripting
Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes a MEDIUM severity security fix for XSS for Grafana. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [
Sources: GHSA, OSV

CVE-2022-21713 [MEDIUM] CVSS 4.3 | Affected: ≥ 5.0.0-beta1, < 7.5.15; ≥ 8.0.0, < 8.3.5 | 2024-05-14
CWE-639: Grafana API IDOR
Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes a MEDIUM severity security fix for Grafana Teams API IDOR. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [Download Grafana 7.5.15](htt
Sources: GHSA, OSV

CVE-2022-39307 [MEDIUM] CVSS 5.3 | Affected: ≥ 9.0.0, < 9.2.4; ≥ 0, < 8.5.15 | 2024-05-14
CWE-200: Grafana User enumeration via forget password
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate security fixes for CVE-2022-39307. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4) Release 8.5.15, only contai
Sources: GHSA, OSV

CVE-2022-39229 [MEDIUM] CVSS 4.3 | Affected: ≥ 0, < 8.5.14; ≥ 9.0.0, < 9.1.8 | 2024-05-14
CWE-287: Grafana when using email as a username can block other users from signing in
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39229. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security f
Sources: GHSA, OSV

CVE-2022-35957 [MEDIUM] CVSS 6.6 | Affected: ≥ 9.1.0, < 9.1.6; ≥ 9.0.0, < 9.0.9 (+1 more) | 2024-05-14
CWE-290: Grafana Escalation from admin to server admin when auth proxy is used
Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-p
Sources: GHSA, OSV

CVE-2022-39324 [MEDIUM] | Affected: ≥ 9.0.0, < 9.2.8; ≥ 0, < 8.5.16 | 2024-05-14
CWE-79: Grafana Spoofing originalUrl of snapshots
To create a snapshot (and insert an arbitrary URL) the built-in role Viewer is sufficient. When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out: Snapshot name, Expire, Timeout (seconds). After the user confirms creation of the snapshot (i.e. clicks the "Local Snapshot" button) an HTTP POST request is sent to th
Sources: GHSA, OSV

CVE-2022-36062 [LOW] CVSS 3.8 | Affected: ≥ 8.5.0, < 8.5.13; ≥ 9.0.0, < 9.0.9 (+1 more) | 2024-05-14
CWE-281: Grafana folders admin only permission privilege escalation
Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC). Release 9.1.6, latest patch, also containing security fix: - [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6
Sources: GHSA, OSV

CVE-2024-1313 [HIGH] | Affected: ≥ 9.5.0, < 9.5.18; ≥ 10.0.0, < 10.0.13 (+3 more) | 2024-04-05
CWE-639: Grafana: Users outside an organization can delete a snapshot with its key
Summary: The `DELETE /api/snapshots/{key}` endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot. Details: An attacker (a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists), know
Sources: GHSA, OSV

CVE-2024-1442 [HIGH] | Affected: ≥ 8.5.0, < 9.5.7; ≥ 10.0.0, < 10.0.12 (+3 more) | 2024-03-07
CWE-269: Grafana's users with permissions to create a data source can CRUD all data sources
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to `*`. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Sources: GHSA, OSV

CVE-2023-6152 [MEDIUM] | Affected: ≥ 2.5.0, < 9.5.16; ≥ 10.0.0, < 10.0.11 (+3 more) | 2024-02-13
CWE-863: Email Validation Bypass And Preventing Sign Up From Email's Owner
Summary: Email validation can easily be bypassed because the `verify_email_enabled` option enables email validation at sign up only. A user changing their email after signing up (and verifying it) can change it without verification in `/profile`. This can be used to prevent the legitimate owner of the email address from signing up. Another
Sources: GHSA, OSV

CVE-2021-43798 [HIGH] CVSS 7.5 | KEV | PoC | Affected: ≥ 8.3.0, < 8.3.1; ≥ 8.2.0, < 8.2.7 (+2 more) | 2024-02-01
CWE-22: Grafana path traversal
Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0. Release v8.3.1, only containing a security fix: - [Download Grafana 8.3.1](https://grafana.com/grafana/download/8.3.1) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-1/) Release v8.2.7, only contain
Sources: GHSA, OSV

CVE-2018-12099 [MEDIUM] | Affected: ≥ 0, < 5.2.0-beta1 | 2024-01-31
CWE-79: Grafana Cross-site Scripting (XSS)
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Sources: GHSA, OSV

CVE-2019-19499 [MEDIUM] | Affected: ≥ 0, < 6.4.4 | 2024-01-31
CWE-200: Grafana Arbitrary File Read
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
Sources: GHSA, OSV

CVE-2018-18625 [MEDIUM] CVSS 6.1 | Affected: ≥ 0, < 6.0.0-beta1 | 2024-01-30
CWE-79: Grafana XSS via adding a link in General feature
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Sources: GHSA, OSV

CVE-2018-18623 [MEDIUM] CVSS 6.1 | Affected: ≥ 0, < 6.0.0-beta1 | 2024-01-30
CWE-79: Grafana XSS in Dashboard Text Panel
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Sources: GHSA, OSV

CVE-2023-4822 [MEDIUM] | Affected: ≥ 0, ≤ 10.1.5 | 2023-10-16
CWE-269: Grafana privilege escalation vulnerability
Grafana is an open-source platform for monitoring and observability. The vulnerability impacts instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to
Sources: GHSA, OSV

CVE-2023-3128 [CRITICAL] | Affected: ≥ 9.4.0, < 9.4.13; ≥ 9.3.0, < 9.3.16 (+2 more) | 2023-06-22
CWE-290: Grafana vulnerable to Authentication Bypass by Spoofing
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Sources: GHSA, OSV

CVE-2023-2183 [MEDIUM] | Affected: ≥ 0, < 8.5.26; ≥ 9.0.0, < 9.2.19 (+3 more) | 2023-06-12
CWE-284: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
Summary: Grafana allows an attacker in the Viewer role to send alerts by API Alert - Test. The option is not available from the user panel UI for the Viewer role. **Reason for the error**: The API does not check access to this function and allows it for users with the least rights, for example, the View
Sources: GHSA, OSV

CVE-2023-2801 [HIGH] | Affected: ≥ 0, < 9.4.12; ≥ 9.5.0, < 9.5.3 | 2023-06-06
CWE-662: Grafana Missing Synchronization vulnerability
Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has the possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directl
Sources: GHSA, OSV